Much has been written about "application services" - delivering the functionality of application software over the Internet, rather than the traditional method of running the software inside a company's firewall. Most discussion around this model has centered on delivering enterprise resource planning (ERP) application functionality as a service. Applications like Oracle Financials, PeopleSoft HR and SAP R/3 are managed off-site at an application service provider (ASP) while corporate users access the application functionality across the Internet.

Does the application service approach apply to security software? Do applications such as anti-virus, intrusion detection, firewall and vulnerability assessment lend themselves to being provided as Internet services? Given some initial experience in delivering security applications as Internet services, not only does the ASP model apply, it appears that the uptake of security application services will be faster than the uptake of hosted ERP solutions.

First, some definitions. For the sake of argument, let's define the methods to deliver security applications to corporations:

Courier Delivery. This is the dominant way that software is delivered today. Vendors burn their software application on a CD, put the CD in a box, put the box on a truck, put the truck on the road, and deliver the box to the customer site. When it finally finds its way off the loading dock, it is given to the IT team whose responsibility it will be to configure, implement, and maintain the software from this time until eternity. Of course, the courier charges can be avoided if the software is downloaded off the vendor's website, but the onus of managing the software still falls on the IT staff's shoulders.

Managed Service Delivery. A managed security service typically involves outsourcing many aspects of software and policy management to third parties.
Managed services are usually a part of complex security implementations (VPN installations, intrusion detection and response, etc.) and they typically have a large component of human involvement (i.e., consulting). Because of the high cost of human labor required to plan, implement, monitor and maintain these installations, managed services tend to be quite expensive.

Application Service Delivery. I define a security application service as one that requires little or no human intervention from the customer to receive the promised level of protection or from the vendor to actually deliver the committed service level. This new approach to security software delivery requires a new class of self-managing, self-reporting application services that off-load security software management to a set of application servers hosted on the Internet.

Let me give two examples of security application services and how they differ from the traditional approaches.

A traditional managed security audit requires weeks of planning and implementation before a client actually gets what they are paying for: a report detailing what systems are vulnerable to attack and how to fix those systems. A customer calls a consulting firm, they run a security scan using a vulnerability scanning software application, and after a month or so, they have a report outlining the vulnerabilities found on the network systems.

With the application service version of such a scanner, the "time-to-report" is reduced from months to minutes, the cost from thousands of dollars to hundreds of dollars. A customer simply comes to the website of a company providing online vulnerability scanning services, enters the IP address(es) they want scanned, and an on-line version of the scanner launches across the Internet, performs the many hundreds of attacks in its database, and delivers its report to the IT professional. The time it takes to generate this report of a single device is less than five minutes.
Now, that professional can decide how to fix the problems uncovered by the audit - rather than managing the software or the consultants to get to this desired result.

Here's another security application service example, this time in anti-virus. Anti-virus is probably the most challenging software application any corporation has to manage. Unlike Microsoft Office, which might be updated every two years, anti-virus software might be updated as frequently as once a day. In environments large and small, this can pose a daunting challenge. Certainly, anti-virus vendors have provided tools to help mitigate this problem, but given the spread of viruses, for most businesses managing their anti-virus is either not a priority or too complicated. What is needed is a service that can propagate virus cures faster than viruses can propagate.

An automated application service can remove the process of anti-virus management. Simply put, once the new anti-virus scanning agent is installed on each desktop protected (by clicking on a URL which downloads the software), the application becomes self-managing. Every day upon boot-up and on a scheduled basis, the agent calls the anti-virus website looking for updates (the end-user doesn't even know it is happening). If there are any updates, they are automatically installed. At the same time the agent leaves data about itself at the website - how many viruses has it found, when was the last time it was updated, etc. The website can then roll up aggregate reports from an entire customer site, so once again the IT manager has a report to understand exactly what is going on in their environment - and so they can see that they are getting the promised service level.

The implications of this radical new approach to security service delivery impact both vendors and IT customers. Vendors cannot just put a browser on their applications, and call it an application service.
The applications need to be fundamentally rewritten to deliver their functionality across the Internet. Also, this approach requires the addition of entirely new delivery software architecture. Instead of a shipping department to put boxes on trucks, we now need server farms that can intelligently and securely distribute, manage, update and report on millions of security agents located on systems across the world.

Interestingly enough, I believe customers will benefit even if they choose to manage the software themselves. Why? As software vendors offer to manage security applications for you, you will see an amazing drop in the complexity of the software we ship. Gone will be the days when we ship you a software product and dare you to make it work. Once we have to eat our own dog food, believe me, we will make the software very manageable. Also, I don't believe either managed services or application services will entirely relieve the burden of SECURITY management from IT professionals. What it will relieve is the enormous burden of SOFTWARE management, which is a major component of the total cost of security software ownership.

How quickly will customers adopt this new approach? I believe it will happen quite rapidly. In Network Associates' first year of providing security application services, over 2,500 corporate customers purchased the services. Small-to-medium sized companies choose application services because adding the complexity of security management will either break the bank, or break the back of the poor person who is already managing the network, the website, the desktops and the servers. Some large organizations adopt the approach because they are focusing their IT resources on what differentiates their business and adds to the bottom line (given the choice to hire a person to either support e-commerce transactions on your website or manage corporate anti-virus, which would you choose?).
Other organizations use a hybrid approach to security, managing their headquarters' network security with classic software applications, but supporting their remote users/sites with an application service model.

While 95 percent of software today is delivered through a "Courier Service Provider," it is clear that the application service model is appropriate for a number of security applications. And the beauty of it is that it really works.

Zach Nelson is chief strategy officer,
Network Associates, Inc (www.nai.com).
Network Associates began the process of delivering security application
services across the Internet almost three years ago, and today has more than
five security application services customers can choose from (www.mcafeeasap.com).

SC On-Line

Copyright © 2001 West Coast Publishing. All rights reserved.